Archive for May, 2008

TrailOfBits Weighs In On Mac OS X Vulnerability Stats

Dave G. | May 30th, 2008 | Filed Under: Industry Punditry

Before I comment: yes, that’s right, Dino Dai Zovi is now a blogger. What’s next, Twitter? I thought he only ran web browsers to find QuickTime vulnerabilities.

Ok, enough tomfoolery. Dino writes about Mac OS X vulnerability statistics. Based on the credits in Apple’s security update notes, he tallies where the fixed bugs came from:

Internal: 44
External: 53
Upstream: 84

He then gives a rule of thumb about internal vulnerability finding:

[vendors] should be finding and fixing at least as many vulnerabilities in shipping products as external researchers are.

I’d actually argue differently. Most vendors should have been finding these bugs before shipping. If you are continuing to find bugs in your product after you shipped it, you probably didn’t invest enough in security prior to release.

These statistics are also hard for outsiders to pin down, because organizations patch things silently more often than you’d think. Sometimes that’s intentional; sometimes a vulnerability gets fixed as a reliability bug, or someone simply rewrites the code. And that’s not all:

  1. Just because an external party didn’t receive credit doesn’t mean the bug was found internally.
  2. Just because an external party did receive credit doesn’t mean the bug wasn’t also found internally.

Here is what I think is really fascinating about these stats:

Almost half of the individual flaws Apple has had to fix (84 of 181) were in upstream code that Apple doesn’t actually own. I do not envy any vendor that has to manage that. It’s a nightmare for everyone.

This also extends past Apple. Every day, enterprises purchase applications (think enterprise-oriented web apps) that ship with third-party code (e.g. OpenSSL, MySQL, Apache, Oracle). How many of those do you think get updated regularly?
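That question is answerable, but only once you know which bundled versions a product actually shipped. The script below is an added example (not code from the original post or from Matasano): it inventories the version banners that components like OpenSSL, zlib and Apache leave in compiled binaries and flags every shipped version that falls behind a reference table. The banner regexes, the sample file contents and the reference versions are all constructed for the illustration and would need tuning against a real build.

```python
import re
from typing import Dict, List, Tuple

# Version banners that common bundled components leave in their compiled
# binaries, e.g. "OpenSSL 0.9.8g 19 Oct 2007" or "Apache/2.2.6". These
# patterns are assumptions for this example; a real build may differ.
BANNERS = {
    "OpenSSL": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?) \d{1,2} \w{3} \d{4}"),
    "zlib":    re.compile(rb"(?:deflate|inflate) (\d+\.\d+\.\d+) Copyright"),
    "Apache":  re.compile(rb"Apache/(\d+\.\d+\.\d+)"),
}


def version_key(version: str) -> Tuple[Tuple[int, ...], str]:
    """Turn '0.9.8g' into a sortable key: numeric parts, then the letter suffix.

    Tuple comparison then orders 0.9.8 < 0.9.8g < 0.9.8h and 1.2.3 < 1.2.10,
    both of which a plain string comparison gets wrong.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]*)", version)
    if not m:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2)


def inventory(files: Dict[str, bytes]) -> Dict[str, Dict[str, List[str]]]:
    """Map component -> version -> files whose contents carry that banner."""
    found: Dict[str, Dict[str, List[str]]] = {}
    for path, blob in files.items():
        for component, pattern in BANNERS.items():
            for match in pattern.finditer(blob):
                version = match.group(1).decode("ascii")
                paths = found.setdefault(component, {}).setdefault(version, [])
                if path not in paths:  # a banner may appear several times per file
                    paths.append(path)
    return found


def stale(found: Dict[str, Dict[str, List[str]]],
          reference: Dict[str, str]) -> List[Tuple[str, str, List[str]]]:
    """List (component, shipped_version, files) for every version older than the reference."""
    out = []
    for component, versions in found.items():
        if component not in reference:
            continue  # nothing to compare against; the caller decides what to do
        for version, paths in versions.items():
            if version_key(version) < version_key(reference[component]):
                out.append((component, version, sorted(paths)))
    return sorted(out)


# Constructed stand-ins for files pulled out of a vendor's install image.
SAMPLE_FILES = {
    "bin/appserver": (b"\x7fELF\x02\x01\x01" + b"\x00" * 16
                      + b"OpenSSL 0.9.8g 19 Oct 2007\x00"
                      + b"deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly \x00"),
    "lib/libhttpd.so": b"\x7fELF\x02\x01\x01Apache/2.2.6\x00Server: Apache\x00",
    "bin/updater": b"OpenSSL 0.9.8h 28 May 2008\x00",
}

# Constructed reference table: what the enterprise considers current at audit time.
REFERENCE = {"OpenSSL": "0.9.8h", "zlib": "1.2.3", "Apache": "2.2.8"}

if __name__ == "__main__":
    inv = inventory(SAMPLE_FILES)
    for component, versions in sorted(inv.items()):
        for version, paths in sorted(versions.items()):
            print(f"{component:8} {version:8} {', '.join(sorted(paths))}")
    for component, version, paths in stale(inv, REFERENCE):
        print(f"STALE: {component} {version} < {REFERENCE[component]} in {', '.join(paths)}")
```

Two caveats when reading the output: a banner proves only that a given release was compiled in, not that the vulnerable code path is reachable from the application, and a vendor who backports a fix without touching the version string will show up as stale when it is not. Treat the report as the list of questions to put to the vendor, not as the answer.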


CITYSEC: CapSecDC (May 28, 2008)

Dave G. | May 27th, 2008 | Filed Under: Gatherings

For those of you in the DC area, CapSecDC will be held tomorrow at 7PM at:

Stetson’s
1610 U St NW
Washington DC 20009

You can walk there from the Metro: either U Street/Cardozo on the Green and Yellow lines, or Dupont Circle on the Red line. The group will hopefully be out back on the patio.


NYSec Tomorrow (5/20)

Jeremy Rauch | May 19th, 2008 | Filed Under: NYSec

Third Tuesday tomorrow (5/20): it’s time for NYSec.

6PM at Pound + Pence. Pound + Pence is located at 55 Liberty St, at the corner of Liberty and Nassau. It’s easily accessed from just about any of the subway lines, the PATH, NY Waterway, etc.

We’ve been seated in different areas the last few meetings. Rather than wandering aimlessly around the bar, I’d recommend asking at the front where the NYSec people are. They should send you our way.


Race To Zero: It’s Not A Contest, It’s A Protest

Dave G. | May 5th, 2008 | Filed Under: Industry Punditry

Race To Zero is an event that pits hacker types against an array of AV products: entrants modify known malware samples until the scanners stop detecting them. Unofficially hosted at DEFCON this year, it has already drawn the ire of the AV community. That makes sense; we all know there is little they can do to stop researchers from writing malware that goes undetected (until the next signature update). From their perspective it is a waste of time, and that is somewhat true, especially of their time.

This type of event, like the Consumer Reports test of 2006, runs the risk of wasting the AV community’s time, which, if we all recall, had no negative impact on society (or even on AV vendors). Still, I acknowledge it is a pain in the ass for them: a combination of bad press plus a pile of really crappy malware samples that have to be documented, analyzed, detected and removed even though they will most likely never, ever affect a person outside of a lab environment.

The idea that the AV companies are getting free research is pretty ludicrous. All that happens is that they have to analyze each of these modified viruses to figure out how to detect it. It is just another day at the office.

Which gets to the heart of the matter:

This contest isn’t a contest. This contest is a protest. It is a protest against the fact that there is simply not enough innovation in the anti-malware space. The problem is getting worse, and all of the solutions appear to come from the same tunnel-vision line of thought. The vendors that work this way have successful businesses that run just fine, so new malware gets handled with the same old solution.

The take-away isn’t going to be research that helps the AV industry see emerging techniques. It will be that there has to be another way. Events like this should inspire someone fresh to come in, build a better mousetrap, and build the next MFE or SYMC (McAfee or Symantec).


BlackBag 0.9.1 - New link and minor fixes

Eric Monti | May 1st, 2008 | Filed Under: Uncategorized

It seems our old link to Black Bag on here went bad some time ago. We’ve been getting lots of requests for a new link.

P.S. Thanks to Marcin for pointing us at sockpuppet. Nobody at Matasano could seem to remember where we’d seen it last!

You may notice the minor version number has been bumped. In the process of digging up a working tarball, I took the opportunity to make two very trivial tweaks:

  • Fixed a small bug in tsec.c that was causing “make” to fail.
  • Added offsets to deeze’s output (culled from the silly little patch I mentioned in my last post).
